IT security news on the latest technology and the number one resource for your hardware and software needs.
Visit us at www.hyphenet.com

Wednesday, September 25, 2013

Filecoder: Your data is being held at ransom

Filecoder trojans encrypt the user's files and demand a ransom from the
victim in exchange for a decryptor utility. This differs from the more
widely known form of ransomware, which locks the desktop with a screen
that tries to scare the user into paying to regain access to the computer.

Filecoder is not a new threat, but ESET has noted a significant increase in Filecoder activity this summer.

Statistics from ESET LiveGrid telemetry show that Win32/Filecoder detections
have risen by 200% in the last few months. From January to June 2013
detections stayed at a normal level, but the spike since July is alarming.

Infection Trajectory

Cybercriminals distributing Filecoder ransomware use various methods of getting the malware onto victims' systems:

Downloads from malware-laden websites

E-mail attachments

Trojan-downloader or backdoor

Manual installation by the attacker (the most damaging case)

Infection vectors

In one scenario, Win32/Filecoder.Q, Win32/Filecoder.AA and
Win32/Filecoder.W are spread through backdoors such as the Poison Ivy
RAT. Victims are sent the Poison Ivy backdoor by email and enticed to
execute it on their computer. Once the backdoor has connected to its C&C
(command and control) server and is waiting for commands, the attacker
sends the Filecoder Trojan to the infected machine.

In that case the Trojan is not stored as a file on the hard drive but is run in the computer's memory, so a scan of the files on disk will not find it.

In other cases the attacker installs the Filecoder ransomware through
Remote Desktop Protocol (RDP). Credentials captured by a keylogger, or
simply weak passwords, give the attacker full access to the targeted
machine.

Once in, the attacker disables antivirus protection before installing the malware on the compromised desktop.
Manual installation is sometimes necessary because a number of variants
require user interaction to set the encryption password: the attacker
types the password at install time rather than having it embedded in the
malware.
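As an added example (not part of the original post or of ESET's material), the following Python script scans a few constructed, simplified Windows Security logon records for the RDP pattern described above: a run of failed logons from one source address followed by a successful logon from the same address. The one-line record format, the sample addresses and account names, and the failure threshold are assumptions for illustration; a real deployment would read Event IDs 4624/4625 (logon type 10 = RemoteInteractive) from the Security log.

```python
"""Flag RDP password guessing that ends in a successful logon.

Added example, not code from the original post or from ESET. Event ID
4625 = failed logon, 4624 = successful logon, logon type 10 = RDP.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry), one per line:
# timestamp, event id, logon type, target account, source IP.
SAMPLE_EVENTS = """\
2013-09-20T02:11:03 4625 10 administrator 203.0.113.7
2013-09-20T02:11:09 4625 10 administrator 203.0.113.7
2013-09-20T02:11:14 4625 10 admin 203.0.113.7
2013-09-20T02:11:21 4625 10 administrator 203.0.113.7
2013-09-20T02:11:27 4625 10 administrator 203.0.113.7
2013-09-20T02:11:35 4624 10 administrator 203.0.113.7
2013-09-20T08:30:00 4625 10 jsmith 198.51.100.4
2013-09-20T08:30:20 4624 10 jsmith 198.51.100.4
2013-09-20T09:00:00 4624 2 jsmith 127.0.0.1
"""

FAILED_LOGON = 4625
SUCCESS_LOGON = 4624
RDP_LOGON_TYPE = 10


@dataclass(frozen=True)
class LogonEvent:
    when: datetime
    event_id: int
    logon_type: int
    account: str
    source_ip: str


def parse_events(text: str) -> list[LogonEvent]:
    """Parse the simplified one-record-per-line format into events, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, ltype, account, ip = line.split()
        events.append(LogonEvent(datetime.fromisoformat(ts), int(eid),
                                 int(ltype), account, ip))
    return sorted(events, key=lambda e: e.when)


def find_rdp_bruteforce(events, threshold=4, window=timedelta(minutes=10)):
    """Return {source_ip: account} for RDP sources whose successful logon
    was preceded by at least `threshold` failures within `window`.
    Threshold and window are illustrative assumptions."""
    recent_failures = defaultdict(list)  # source_ip -> failure timestamps
    hits = {}
    for ev in events:
        if ev.logon_type != RDP_LOGON_TYPE:
            continue  # only RemoteInteractive (RDP) logons matter here
        fails = recent_failures[ev.source_ip]
        # forget failures older than the window
        fails[:] = [t for t in fails if ev.when - t <= window]
        if ev.event_id == FAILED_LOGON:
            fails.append(ev.when)
        elif ev.event_id == SUCCESS_LOGON and len(fails) >= threshold:
            hits[ev.source_ip] = ev.account
            fails.clear()
    return hits


if __name__ == "__main__":
    for ip, account in find_rdp_bruteforce(parse_events(SAMPLE_EVENTS)).items():
        print(f"suspicious RDP logon: {account} from {ip} after repeated failures")
```

On the sample data only 203.0.113.7 is flagged: five failures against administrator/admin within a minute, then a success. The single failure from 198.51.100.4 stays below the threshold, and the local console logon (type 2) is ignored entirely.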